DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-5079: Denial of Service via Uncontrolled Resource Consumption in Multer Multipart Parser

Vulnerability ID: CVE-2026-5079
CVSS Score: 7.5
Published: 2026-06-17

CVE-2026-5079 is a high-severity Denial of Service (DoS) vulnerability in the Node.js package 'multer'. The vulnerability resides in how its internal dependency, 'append-field', processes deeply nested bracket structures in multipart form field names. If an attacker submits a field name with an excessive number of nested brackets, the parsing process crashes the Node.js runtime environment or exhausts system resources, causing a complete denial of service.

TL;DR

A Denial of Service vulnerability exists in the multer library when parsing deeply nested bracket notations in form field names, leading to application crash or CPU exhaustion.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400
  • Attack Vector: Network
  • CVSS v3.1: 7.5
  • EPSS Score: 0.00278
  • Impact: Denial of Service (DoS)
  • Exploit Status: POC
  • KEV Status: Not Listed

Affected Systems

  • Applications utilizing multer >= 1.0.0 and < 2.2.0 on Node.js runtimes
  • Applications utilizing multer 3.0.0-alpha.1 on Node.js runtimes
  • multer: >= 1.0.0 < 2.2.0 (Fixed in: 2.2.0)
  • multer: == 3.0.0-alpha.1 (Fixed in: 3.0.0-alpha.2)

Exploit Details

  • GitHub: Functional regression tests for field nesting depth limits in tests/nesting-depth.js

Mitigation Strategies

  • Upgrade multer dependency to version 2.2.0 or 3.0.0-alpha.2.
  • Configure limits.fieldNestingDepth to a restrictive non-infinite value.
  • Implement Web Application Firewall (WAF) filtering to drop payloads with highly recurring bracket syntax.

Remediation Steps:

  1. Run the command 'npm install multer@latest' or 'npm install multer@2.2.0' depending on major version requirements.
  2. Search the codebase for multer configuration initialization.
  3. Modify initialization structures to explicitly pass 'limits: { fieldNestingDepth: 3 }'.
  4. Deploy custom Express error-handling middleware to intercept LIMIT_FIELD_NESTING errors and return 400 Bad Request.
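The mitigation strategies and remediation steps above describe the two defensive halves: bound the bracket depth before anything nested is built, and turn the resulting limit error into a 400 instead of a crash. The following is an added example written for this report, not code from multer, append-field or the CVE report itself. The option name `fieldNestingDepth` and the error code `LIMIT_FIELD_NESTING` are taken from the remediation steps; `parseFieldName`, `assignNested`, `fieldNestingErrorHandler`, `simulateRequest` and the depth value of 3 are this example's own choices. It deliberately avoids requiring `multer` or `express` so it runs offline; in a real application the depth limit is passed as `limits: { fieldNestingDepth: 3 }` to the multer constructor (step 3) and the handler is registered with `app.use(...)` after the upload route (step 4).

```javascript
// Added example (not multer's or append-field's code). Shows a depth-bounded
// field-name parser, a recursion-free nested assignment, and an Express-style
// error handler for the LIMIT_FIELD_NESTING error code named in the report.

const DEFAULT_FIELD_NESTING_DEPTH = 3; // value suggested by remediation step 3

// Limit-violation error in the style multer uses: a `code` property that
// downstream middleware can switch on.
class FieldNestingError extends Error {
  constructor(field, depth, limit) {
    super(`Field "${field.slice(0, 40)}" nests ${depth} levels deep (limit ${limit})`);
    this.code = 'LIMIT_FIELD_NESTING'; // code name taken from the report
    this.field = field;
  }
}

// Split "user[address][city]" into ["user", "address", "city"]. Depth is the
// number of bracketed levels below the root key and is checked while scanning,
// so an over-deep name is rejected after at most maxDepth+1 segments, before
// any nested object exists and without recursion.
function parseFieldName(name, maxDepth = DEFAULT_FIELD_NESTING_DEPTH) {
  const open = name.indexOf('[');
  if (open === -1) return [name];
  const segments = [name.slice(0, open)];
  let i = open;
  while (i < name.length) {
    if (name[i] !== '[') throw new Error(`malformed field name: ${name}`);
    const close = name.indexOf(']', i);
    if (close === -1) throw new Error(`unterminated bracket in field name: ${name}`);
    segments.push(name.slice(i + 1, close)); // "" for the "[]" array form
    if (segments.length - 1 > maxDepth) {
      throw new FieldNestingError(name, segments.length - 1, maxDepth);
    }
    i = close + 1;
  }
  return segments;
}

// Iterative nested assignment: the call stack can never be the resource that
// gives out. An empty segment ("tags[]") appends to an array. Keys that would
// write through the prototype chain are refused.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function assignNested(target, segments, value) {
  let node = target;
  for (let k = 0; k < segments.length - 1; k++) {
    const key = segments[k];
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing key "${key}"`);
    if (node[key] === undefined) node[key] = segments[k + 1] === '' ? [] : {};
    node = node[key];
  }
  const last = segments[segments.length - 1];
  if (FORBIDDEN_KEYS.has(last)) throw new Error(`refusing key "${last}"`);
  if (last === '') {
    if (!Array.isArray(node)) throw new Error('"[]" used on a non-array field');
    node.push(value);
  } else {
    node[last] = value;
  }
  return target;
}

// Express error-handling middleware (four-argument signature) for step 4:
// answer LIMIT_FIELD_NESTING with 400 Bad Request; pass anything else on.
function fieldNestingErrorHandler(err, req, res, next) {
  if (err && err.code === 'LIMIT_FIELD_NESTING') {
    return res.status(400).json({ error: 'field nesting too deep', field: err.field });
  }
  return next(err);
}

// Minimal stand-in for an Express response so the handler runs offline.
function mockResponse() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Runs one constructed form field through parser, assignment and error handler,
// returning what a client would observe: { status, body }.
function simulateRequest(fieldName, value, maxDepth = DEFAULT_FIELD_NESTING_DEPTH) {
  const body = {};
  try {
    assignNested(body, parseFieldName(fieldName, maxDepth), value);
    return { status: 200, body };
  } catch (err) {
    const res = mockResponse();
    let passedOn = null;
    fieldNestingErrorHandler(err, {}, res, (e) => { passedOn = e; });
    if (passedOn) throw passedOn; // not a nesting error: let it surface
    return { status: res.statusCode, body: res.body };
  }
}

// Constructed sample inputs: one within the limit, one level too deep.
console.log(simulateRequest('user[address][city]', 'Oslo'));
console.log(simulateRequest('a[b][c][d][e]', 'x'));
```

With the limit at 3, `a[b][c][d]` is accepted and `a[b][c][d][e]` is answered with a 400 carrying the offending field name, which is the same observable behaviour step 4 asks the Express error handler to produce for multer's own `LIMIT_FIELD_NESTING` error. The parser here is only an illustration of the bounded check; the real fix is the upgraded multer with `fieldNestingDepth` configured.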

Read the full report for CVE-2026-5079 on our website for more details including interactive diagrams and full exploit analysis.
